Check the security level when building sigalgs

ok beck jsing
author: tb <> 2022-06-29 07:53:58 +0000
committer: tb <> 2022-06-29 07:53:58 +0000
commit: 4971137ca5f4d3de0801bec3fdc944bc625b0211 (patch)
tree: 594c4dd3136308d7d86b9e285e5fb25707f9d3f1 /src
parent: 5a8ebcd55cb4d2f98af3f413f2ae8601241f0891 (diff)
download: openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.tar.gz
openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.tar.bz2
openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.zip
4 files changed, 20 insertions, 12 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 79239ef597..8a1b5f5198 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.42 2022/06/29 07:53:00 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.43 2022/06/29 07:53:58 tb Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -241,11 +241,13 @@ ssl_sigalg_from_value(SSL *s, uint16_t value)
 }
 int
-ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
+ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
 {
+        const struct ssl_sigalg *sigalg;
        const uint16_t *values;
        size_t len;
        size_t i;
+        int ret = 0;
        ssl_sigalgs_for_version(tls_version, &values, &len);
@@ -254,12 +256,17 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb)
                /* Do not allow the legacy value for < 1.2 to be used. */
                if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
                        return 0;
-                if (ssl_sigalg_lookup(values[i]) == NULL)
+                if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
                        return 0;
+                if (sigalg->security_level < security_level)
+                        continue;
                if (!CBB_add_u16(cbb, values[i]))
                        return 0;
+                ret = 1;
        }
-        return 1;
+        return ret;
 }
 static const struct ssl_sigalg *
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 9f4a3a3c33..5be2122906 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.24 2022/06/29 07:53:00 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.25 2022/06/29 07:53:58 tb Exp $ */
 /*
 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
 *
@@ -69,7 +69,7 @@ struct ssl_sigalg {
        int flags;
 };
-int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb);
+int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level);
 const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey);
 const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey,
    uint16_t sigalg_value);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 20660cbf27..97077a3380 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.143 2022/06/28 14:51:37 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.144 2022/06/29 07:53:58 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1567,8 +1567,8 @@ ssl3_send_certificate_request(SSL *s)
                        if (!CBB_add_u16_length_prefixed(&cert_request,
                            &sigalgs))
                                goto err;
-                        if (!ssl_sigalgs_build(
+                        if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version,
-                            s->s3->hs.negotiated_tls_version, &sigalgs))
+                            &sigalgs, SSL_get_security_level(s)))
                                goto err;
                }
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 53d40157e9..8faf90fde0 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.113 2022/06/04 07:55:44 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.114 2022/06/29 07:53:58 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -587,7 +587,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                return 0;
-        if (!ssl_sigalgs_build(tls_version, &sigalgs))
+        if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s)))
                return 0;
        if (!CBB_flush(cbb))
                return 0;
@@ -623,7 +623,8 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                return 0;
-        if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs))
+        if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs,
+            SSL_get_security_level(s)))
                return 0;
        if (!CBB_flush(cbb))
                return 0;
author	tb <>	2022-06-29 07:53:58 +0000
committer	tb <>	2022-06-29 07:53:58 +0000
commit	4971137ca5f4d3de0801bec3fdc944bc625b0211 (patch)
tree	594c4dd3136308d7d86b9e285e5fb25707f9d3f1 /src
parent	5a8ebcd55cb4d2f98af3f413f2ae8601241f0891 (diff)
download	openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.tar.gz openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.tar.bz2 openbsd-4971137ca5f4d3de0801bec3fdc944bc625b0211.zip